Overview of Security and Storage for Oracle Application Server for DRDA

Oracle Application Server for DRDA uses the security and authorization models of the Oracle Database; this ensures correct SQL access to user data.

DRDA specifies two primary authorization models: REQUESTER and OWNER. They are specified as attribute of the package, PKGATHRUL.

In the REQUESTER model, currently logged-in user is the authorization control.

The REQUESTER model is also called Dynamic SQL Rules, and it is used for executing the SQL that is constructed at runtime. This is the security model that Oracle Database implements for SQL access.

In the OWNER model, a stored USERID (package owner, PKGOWNID) instantiates a different USERID for the duration of the statement execution.

The OWNER model is also called Static SQL Rules, and it is used for pre-bound SQL within the package. Oracle Database does not implement an equivalent security model.

Because Oracle Database only implements one security model, all SQL within a package, both stored and dynamically created, is executed under the Dynamic SQL Rules model. This does not override the instantiation modes of any PL/SQL objects created with the AUTHID DEFINER attribute.

Authentication and Encryption in Oracle Application Server for DRDA

DRDA requires that user authentication (ACCSEC(SECMEC), SECCHK) be performed before any access to the database (ACCRDB) may be performed.

Authentication Services

DRDA provides two types of services for authentication: dedicated use, and multiplexed use.

Under dedicated use, the AS provides access to a single, dedicated database, without an option to connect to another database. The rdbnam passed later in the ACCRDB must match the target database name; otherwise, the session access fails with an RDBAFLRM message.

In this mode, the ACCSEC does not require the rdbnam instance variable to perform authentication because there is no choice to be made between databases. Thus, the AS is free to make a session association with the single database at the time of ACCSEC processing, and to verify that the requested security mechanism (SECMEC) is available. When the SECCHK command is sent, the initial database session is maintained and full authentication is performed.

This mode must be used with older ARs that do not support multiplexed servers. If the AR supplies the rdbnam in this mode, it must be validated against the connected database.

Under multiplexed mode, the AS provides access to many databases at the same time. In this mode, the rdbnam instance variable in the ACCSEC is required to validate the requested security mechanism. The AS connects to the requested database for security validation. When the SECCHK command is sent, the initial database session is maintained and full authentication is performed.

This mode is supported with newer ARs, which supply the rdbnam as part of the ACCSEC. If the AR does not supply the rdbnam in the ACCSEC in this mode, it generates an error and an RDBAFLRM response is sent to the ACCSEC.

Encryption Services

Oracle Application Server for DRDA supports the following security mechanisms:

EUSRIDPWD – Encrypted User ID and Password Mechanism

EUSRIDNWPWD – Encrypted User ID, Password, and New Password Mechanism

USRIDPWD – User ID and Password Mechanism

USRIDNWPWD – User ID, Password, and New Password Mechanism

USRENCPWD – User ID and Password Encrypted Mechanism

After the security mechanisms are verified as accessible, the actual security authorization (SECCHK) can proceed.

Database Roles in Oracle Application Server for DRDA

Oracle Application Server for DRDA uses the following two roles: DRDAAS_ADMIN_ROLE and DRDAAS_USER_ROLE.

DRDAAS_ADMIN_ROLE

The DRDAAS_ADMIN_ROLE role allows access to and use of the DBMS_DRDAAS_ADMIN package. It is a DBA-level privilege specific to Oracle Application Server for DRDA. Administrators who manage remote DRDA access to the Oracle database must be granted this role.

DRDAAS_USER_ROLE

The DRDAAS_USER_ROLE role permits an Oracle Application Server for DRDA user access to the DBMS_DRDAAS package for the following purposes:

SYSIBM User

All tables, views, and packages supplied and used by Oracle Application Server for DRDA are under the user schema SYSIBM. As part of the installation of Oracle Application Server for DRDA packages and tables, this user id is created as a locked account, and is set to use the SYSIBM tablespace for its storage.

Scripting on this page enhances content navigation, but does not change the content in any way.